Introduction
- Netfilter - the packet filter facility built into the 2.4 and later Linux kernels.
- ipchains - the packet filter facility built into the 2.2 Linux kernels. Also the name of the utility program used to configure and control that facility. Netfilter can be used in ipchains compatibility mode.
- iptables - the utility program used to configure and control Netfilter. The term 'iptables' is often used to refer to the combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode).
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.
This program is free software; you can redistribute it and/or
modify it under the terms of Version 2 of the
GNU General Public License as published by the Free Software
Foundation.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA
Copyright 2001, 2002, 2003 Thomas M. Eastep
This is the Shorewall 1.4 Web Site
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:
Getting Started with Shorewall
New to Shorewall? Start by selecting the QuickStart Guide that most closely matches your environment and follow the step by step instructions.
Looking for Information?
The Documentation Index is a good place to start, as is the Quick Search to your right.
Running Shorewall on Mandrake with a two-interface setup?
If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.
News
8/9/2003 - Snapshot 1.4.6_20030809
http://shorewall.net/pub/shorewall/Snapshots/
ftp://shorewall.net/pub/shorewall/Snapshots/
Problems Corrected since version 1.4.6
- Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being tested before it was set.
- Corrected handling of MAC addresses in the SOURCE column of the tcrules file. Previously, these addresses resulted in an invalid iptables command.
- The "shorewall stop" command is now disabled when /etc/shorewall/startup_disabled exists. This prevents people from shooting themselves in the foot prior to having configured Shorewall.
- A change introduced in version 1.4.6 caused error messages during "shorewall [re]start" when ADD_IP_ALIASES=Yes and IP addresses were being added to a PPP interface; the addresses were successfully added in spite of the messages. The firewall script has been modified to eliminate the error messages.
Migration Issues:
- Once you have installed this version of Shorewall, you must restart Shorewall before you may use the 'drop', 'reject', 'allow' or 'save' commands.
- To maintain strict compatibility with previous versions, current uses of "shorewall drop" and "shorewall reject" should be replaced with "shorewall dropall" and "shorewall rejectall".
New Features:
- Shorewall now creates a dynamic blacklisting chain for each interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands use the routing table to determine which of these chains is to be used for blacklisting the specified IP address(es). Two new commands ('dropall' and 'rejectall') have been introduced that do what 'drop' and 'reject' used to do; namely, when an address is blacklisted using these new commands, it will be blacklisted on all of your firewall's interfaces.
- Thanks to Steve Herber, the 'help' command can now give command-specific help (e.g., shorewall help <command>).
- A new option "ADMINISABSENTMINDED" has been added to /etc/shorewall/shorewall.conf. This option has a default value of "No" for existing users, which causes Shorewall's 'stopped' state to continue as it has been; namely, in the stopped state only traffic to/from hosts listed in /etc/shorewall/routestopped is accepted.
With ADMINISABSENTMINDED=Yes (the default for new installs), in addition to traffic to/from the hosts listed in /etc/shorewall/routestopped, Shorewall will allow:
a) All traffic originating from the firewall itself; and
b) All traffic that is part of or related to an already-existing connection.
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" entered through an ssh session will not kill the session.
Note though that even with ADMINISABSENTMINDED=Yes, it is still possible for people to shoot themselves in the foot.
Example:
/etc/shorewall/nat:
206.124.146.178 eth0:0 192.168.1.5
/etc/shorewall/rules:
ACCEPT net loc:192.168.1.5 tcp 22
ACCEPT loc fw tcp 22
From a remote system, I ssh to 206.124.146.178, which establishes an SSH connection with local system 192.168.1.5. I then create a second SSH connection from that computer to the firewall and confidently type "shorewall stop".
As part of its stop processing, Shorewall removes eth0:0, which kills my SSH connection to 192.168.1.5!!!
- Given the wide range of VPN software, I can never hope to add specific support for all of it. I have therefore decided to add "generic" tunnel support.
Generic tunnels work pretty much like any of the other tunnel types. You usually add a zone to represent the systems at the other end of the tunnel and you add the appropriate rules/policies to implement your security policy regarding traffic to/from those systems.
In the /etc/shorewall/tunnels file, you can have entries of the form:
generic:<protocol>[:<port>] <zone> <ip address> [<gateway zones>]
where:
<protocol> is the protocol used by the tunnel.
<port> if the protocol is 'udp' or 'tcp' then this is the destination port number used by the tunnel.
<zone> is the zone of the remote tunnel gateway.
<ip address> is the IP address of the remote tunnel gateway.
<gateway zones> Optional. A comma-separated list of zone names. If specified, the remote gateway is to be considered part of these zones.
- An 'arp_filter' option has been added to the /etc/shorewall/interfaces file. This option causes /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set, with the result that this interface will only answer ARP 'who-has' requests from hosts that are routed out through that interface. Setting this option facilitates testing of your firewall where multiple firewall interfaces are connected to the same HUB/Switch (all interfaces connected to the single HUB/Switch should have this option specified). Note that using such a configuration in a production environment is strongly recommended against.
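A syntax check for the generic tunnel entries described above, added here as an example for this page and not Shorewall's own code. It validates one entry against the form given in that item and returns the normalised fields. Two points are assumptions drawn from the description rather than from Shorewall's parser: a port is rejected for any protocol other than tcp or udp, and the gateway is only loosely checked as a dotted IPv4 address or network.

```sh
#!/bin/sh
# Validator for "generic" entries in /etc/shorewall/tunnels, following
# the syntax given above:
#   generic:<protocol>[:<port>] <zone> <ip address> [<gateway zones>]
# Added example for this page, not Shorewall's own code. The checks are
# the ones a reviewer applies by hand: a port is only meaningful for tcp
# or udp, the port must be 1-65535, and the gateway must look like a
# dotted IPv4 address or network (assumed; Shorewall may accept more).

# generic_tunnel_check "ENTRY"
# On success prints the normalised fields "PROTO PORT ZONE GATEWAY GWZONES"
# (PORT and GWZONES are "-" when absent) and returns 0. On a malformed
# entry it prints the reason on stderr and returns 1.
generic_tunnel_check() {
    set -- $1   # split the entry into its whitespace-separated columns
    if [ $# -lt 3 ] || [ $# -gt 4 ]; then
        echo "expected 3 or 4 columns, got $#" >&2
        return 1
    fi
    type="$1" zone="$2" gw="$3" gwzones="${4:--}"

    case "$type" in
        generic:*) ;;
        *) echo "not a generic tunnel type: $type" >&2; return 1 ;;
    esac
    spec="${type#generic:}"          # <protocol>[:<port>]
    proto="${spec%%:*}"
    port="-"
    case "$spec" in *:*) port="${spec#*:}" ;; esac

    [ -n "$proto" ] || { echo "missing protocol in $type" >&2; return 1; }

    if [ "$port" != "-" ]; then
        case "$proto" in
            tcp|udp) ;;
            *) echo "port given but protocol $proto is not tcp or udp" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "port is not a number: '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2
            return 1
        fi
    fi

    case "$gw" in
        ''|*[!0-9./]*) echo "gateway must be a dotted IPv4 address or network: '$gw'" >&2; return 1 ;;
    esac

    printf '%s %s %s %s %s\n' "$proto" "$port" "$zone" "$gw" "$gwzones"
}
```

Feed each non-comment line of the tunnels file to generic_tunnel_check before a restart; a non-zero return points at the entry that would otherwise surface as an iptables error at start time.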
8/5/2003 - Shorewall-1.4.6b
Problems Corrected since version 1.4.6:
- Previously, if TC_ENABLED was set to Yes in shorewall.conf then Shorewall would fail to start with the error "ERROR: Traffic Control requires Mangle"; that problem has been corrected.
- Corrected handling of MAC addresses in the SOURCE column of the tcrules file. Previously, these addresses resulted in an invalid iptables command.
- The "shorewall stop" command is now disabled when /etc/shorewall/startup_disabled exists. This prevents people from shooting themselves in the foot prior to having configured Shorewall.
- A change introduced in version 1.4.6 caused error messages during "shorewall [re]start" when ADD_IP_ALIASES=Yes and IP addresses were being added to a PPP interface; the addresses were successfully added in spite of the messages. The firewall script has been modified to eliminate the error messages.
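A pre-flight guard to run before typing "shorewall stop" over ssh, added here as an example for this page and not part of Shorewall. It reads the settings named in the ADMINISABSENTMINDED item above from shorewall.conf and lists the alias interfaces in /etc/shorewall/nat that a stop would remove when ADD_IP_ALIASES=Yes. Three things are assumptions drawn from that description: shorewall.conf is a shell-style NAME=value file, a missing ADMINISABSENTMINDED line behaves as "No" (the stated default for existing installs), and the second column of the nat file names the interface, with an "eth0:0" style entry being an alias Shorewall adds and removes itself.

```sh
#!/bin/sh
# Pre-flight guard for "shorewall stop" typed over an ssh session.
# Added example for this page, not part of Shorewall. Assumptions, taken
# from the release note above: shorewall.conf is a shell-style NAME=value
# file; a missing ADMINISABSENTMINDED line behaves as "No" (the default
# for existing installs); and when ADD_IP_ALIASES=Yes, an "eth0:0" style
# name in the second column of /etc/shorewall/nat is an alias that
# "shorewall stop" removes, taking any connection through it down too.

# conf_setting FILE NAME: print NAME's effective value from a
# shorewall.conf in lower case, or "unset" if the file never assigns it.
# Quotes are stripped and the last assignment wins, as when a shell
# sources the file.
conf_setting() {
    q="'\""
    v=$(sed -n "s/^[[:space:]]*$2=[$q]*\([^$q[:space:]#]*\).*/\1/p" "$1" \
            | tail -n 1 | tr 'A-Z' 'a-z')
    printf '%s\n' "${v:-unset}"
}

# nat_aliases FILE: list the interface names in a nat file that carry an
# alias label (eth0:0, ppp0:1, ...), skipping blank and comment lines.
nat_aliases() {
    awk '!/^[ \t]*(#|$)/ && NF >= 2 && $2 ~ /:/ { print $2 }' "$1"
}

# stop_is_safe CONF NAT: return 0 when a "shorewall stop" should leave
# the admin's own ssh session (and sessions NATed through the firewall)
# intact, 1 otherwise. Reasons go to stderr so the caller can use it as
# a plain true/false guard.
stop_is_safe() {
    conf="$1"; nat="$2"
    if [ "$(conf_setting "$conf" ADMINISABSENTMINDED)" != yes ]; then
        echo "ADMINISABSENTMINDED is not Yes: in the stopped state only" \
             "routestopped hosts are accepted, so a session from any other" \
             "host is cut off" >&2
        return 1
    fi
    if [ "$(conf_setting "$conf" ADD_IP_ALIASES)" = yes ] && [ -f "$nat" ]; then
        aliases=$(nat_aliases "$nat" | tr '\n' ' ')
        if [ -n "$aliases" ]; then
            echo "stop removes the alias interface(s) $aliases" \
                 "and with them any ssh session that reaches a NATed host" >&2
            return 1
        fi
    fi
    return 0
}

# Usage on a Shorewall 1.4 host:
#   stop_is_safe /etc/shorewall/shorewall.conf /etc/shorewall/nat && shorewall stop
```

The alias check is deliberately conservative: it refuses whenever stop would tear down an alias, whether or not a session currently depends on it, because the guard cannot see which path the admin's own connection took.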
More News
Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.4.2 and Kernel-2.4.20. You can find their work at:
http://leaf.sourceforge.net/devel/jnilo
Congratulations to Jacques and Eric on the recent release of Bering 1.2!!!
This site is hosted by the generous folks at SourceForge.net